Madhukar Hiriadka

Reputation: 279

ADB2C AcquireTokenSilent behavior

I am trying to use the MSAL library in my Angular 5 SPA. I am slightly confused about the behavior of the AcquireTokenSilent() function.

Currently in my application, I need to refresh my access token every 5 mins. As I understand, since MSAL.js uses the implicit grant flow, it does not allow us to refresh the token.

So I tried to make use of the AcquireTokenSilent() function to fetch a new token, and it does return a new token, with a new expiry date for the token. Once my application passes through the "web app session with OpenID Connect" time (minutes) of the ADB2C configuration, this function does not return a token and tells me that the user session has expired. This is the expected behavior.

Now my question is:

  1. How does the AcquireTokenSilent() function behave internally?

  2. Can I make use of this function to get a new token every 5 mins? Can we link this access token to get a new token based on the lifetime of a refresh token? Currently I am not sure on what basis it fetches a new token. Currently it fetches a new token as long as the "web app session with OpenID Connect" is still alive.

Upvotes: 1

Views: 875

Answers (1)

juunas

Reputation: 58773

How does the AcquireTokenSilent() function behave internally?

It first tries to get a token from its cache. Then if that fails, it uses a hidden iframe to try and get a new one. The URL it uses for it is the same as for normal login, except it uses prompt=none. This makes it return a token in the redirect if the user has an active session. If the session has expired it returns an error.

Here is the JSDoc for acquireTokenSilent:

/*
   * Used to get the token from cache.
   * MSAL will return the cached token if it is not expired.
   * Or it will send a request to the STS to obtain an access_token using a hidden iframe. To renew idToken, clientId should be passed as the only scope in the scopes array.
   * @param {Array<string>} scopes - Permissions you want included in the access token. Not all scopes are guaranteed to be included in the access token. Scopes like "openid" and "profile" are sent with every request.
   * @param {string} authority - A URL indicating a directory that MSAL can use to obtain tokens.
   * - In Azure AD, it is of the form https://<tenant>/<tenant>, where <tenant> is the directory host (e.g. https://login.microsoftonline.com) and <tenant> is an identifier within the directory itself (e.g. a domain associated to the tenant, such as contoso.onmicrosoft.com, or the GUID representing the TenantID property of the directory)
   * - In Azure B2C, it is of the form https://<instance>/tfp/<tenant>/<policyName>/
   * - Default value is: "https://login.microsoftonline.com/common"
   * @param {User} user - The user for which the scopes are requested. The default user is the logged in user.
   * @param {string} extraQueryParameters - Key-value pairs to pass to the STS during the authentication flow.
   * @returns {Promise.<string>} - A Promise that is fulfilled when this function has completed, or rejected if an error was raised. Resolved with token or rejected with error.
   */

Can I make use of this function to get a new token every 5 mins? Can we link this access token to get a new token based on the lifetime of a refresh token? Currently I am not sure on what basis it fetches a new token. Currently it fetches a new token as long as the "web app session with OpenID Connect" is still alive.

There are no refresh tokens for a native app. They run in an untrusted environment and thus cannot be trusted with a refresh token.

The approach you should use is:

Try to get a token with acquireTokenSilent. If it fails, re-authenticate the user / show them a page explaining that they need to login again + button to do so.

Upvotes: 1
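The following is an added example, not part of juunas's answer and not MSAL.js code. It models the order of operations the answer describes (cached token first, then a hidden-iframe renewal that only succeeds while the OpenID Connect session is alive, otherwise an error) with a small fake client, and wraps it in the recommended "silent first, re-authenticate on failure" pattern. The `FakeMsalClient` class, its `trySilent`/`advanceMinutes` helpers, the `tok-N` token strings and the minute-based clock are all constructed for this example; the only thing borrowed from real MSAL.js is the `acquireTokenSilent(scopes)` name and its `Promise<string>` result shape. `login_required` is the standard OpenID Connect error for a failed `prompt=none` request, but that the fake surfaces it exactly this way is an assumption.

```javascript
// Added example: a fake MSAL-like client that reproduces the silent-acquisition
// order described in the answer. Not MSAL.js and not code from the answer.

// Pure decision step, in the order the answer gives:
//   1. a cached token that has not expired is returned as-is
//   2. otherwise, if the SSO session is alive, the hidden-iframe renewal succeeds
//   3. otherwise the prompt=none request fails (OIDC error "login_required")
function decideSilentOutcome(cacheEntry, sessionAlive, nowMs) {
  if (cacheEntry && cacheEntry.expiresAtMs > nowMs) {
    return { source: 'cache', token: cacheEntry.token };
  }
  if (sessionAlive) {
    return { source: 'iframe', token: null }; // caller mints the renewed token
  }
  return { source: 'error', error: 'login_required' };
}

// Constructed stand-in for the MSAL client with an injectable clock so the
// behaviour over time can be driven deterministically.
class FakeMsalClient {
  constructor(tokenTtlMin, sessionLifetimeMin) {
    this.nowMs = 0;
    this.tokenTtlMs = tokenTtlMin * 60 * 1000;           // assumed access-token lifetime
    this.sessionExpiresAtMs = sessionLifetimeMin * 60 * 1000; // "web app session" lifetime
    this.cache = null;
    this.issued = 0;
  }
  advanceMinutes(m) { this.nowMs += m * 60 * 1000; }

  // Synchronous core used by both the Promise API below and the simulation.
  trySilent(scopes) {
    const sessionAlive = this.nowMs < this.sessionExpiresAtMs;
    const outcome = decideSilentOutcome(this.cache, sessionAlive, this.nowMs);
    if (outcome.source === 'iframe') {
      this.issued += 1;
      this.cache = {
        token: `tok-${this.issued}-${scopes.join('+')}`,     // constructed token value
        expiresAtMs: this.nowMs + this.tokenTtlMs,
      };
      outcome.token = this.cache.token;
    }
    return outcome;
  }

  // Same shape as MSAL.js v1: resolves with the token string, rejects on error.
  acquireTokenSilent(scopes) {
    const o = this.trySilent(scopes);
    return o.source === 'error'
      ? Promise.reject(new Error(o.error))
      : Promise.resolve(o.token);
  }
}

// The pattern the answer recommends: try silently, and if that fails hand the
// user to a re-login page instead of pretending a refresh token exists.
async function getAccessToken(client, scopes, onLoginRequired) {
  try {
    return await client.acquireTokenSilent(scopes);
  } catch (err) {
    onLoginRequired(err); // e.g. render "your session expired, sign in again" + button
    return null;
  }
}

// Drive the fake client on the question's 5-minute schedule and record what
// each attempt produced ('cache', 'iframe' or 'error').
function simulateSchedule(sessionLifetimeMin, tokenTtlMin, totalMin, intervalMin = 5) {
  const client = new FakeMsalClient(tokenTtlMin, sessionLifetimeMin);
  const log = [];
  for (let t = 0; t <= totalMin; t += intervalMin) {
    log.push(client.trySilent(['openid']).source);
    client.advanceMinutes(intervalMin);
  }
  return { log, issued: client.issued };
}

// Demo: 5-minute tokens, 30-minute session, polled every 5 minutes for 40 minutes.
console.log(simulateSchedule(30, 5, 40));
// Demo of the fallback wrapper once the session has expired.
(async () => {
  const client = new FakeMsalClient(5, 30);
  client.advanceMinutes(30);
  const token = await getAccessToken(client, ['openid'], (err) =>
    console.log('show login page, reason:', err.message));
  console.log('token after session expiry:', token);
})();
```

With a 5-minute token lifetime, every poll up to the 25-minute mark renews through the iframe path and every poll from 30 minutes on fails, which is exactly the behaviour the question reports. Raising the token lifetime to 60 minutes in the same simulation makes every poll after the first come from the cache, showing that the "new token every 5 minutes" effect depends on the token lifetime configured in B2C, not on anything resembling a refresh token.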
